Tags: ansible, elevated-privileges, sudoers

"Missing sudo password" error with Ansible


This is my simple playbook:

---
- name: test
  hosts: all
  tasks:
     - name: testing
       shell: /usr/bin/whoami
       register: testing

     - name: show the result
       debug:
          msg: "{{ testing.stdout }}"

When I run this as user1 I get the expected output, user1.

However, my requirement is to run the shell command as the root user, something like sudo whoami. So I modified the playbook like this:

---
- name: test
  hosts: all
  tasks:
     - name: testing
       shell: /usr/bin/whoami
       become: true
       register: testing

     - name: show the result
       debug:
          msg: "{{ testing.stdout }}"

However, I keep getting the following error:

fatal: [xxxxxxxxx]: FAILED! => {
    "msg": "Missing sudo password"
}

Can anybody please help understand what I am missing here?

To allow user1 to run this as root via sudo, I have added the following entry to the sudoers file:

user1 ALL=(ALL:ALL) /usr/bin/whoami

Also, to avoid providing the user1 password, I added the following entry to the local ansible.cfg:

[privilege_escalation]
become_ask_pass=False

Still getting the same error mentioned above.


Solution

  • user1 ALL=(ALL) NOPASSWD: ALL works fine. But our security team is not agreeing to this.

    An example playbook

    ---
    - hosts: test
      become: true
      gather_facts: false
    
      tasks:
    
      - name: Execute
        shell:
          cmd: "id"
        register: output
    
      - debug:
          var: output
    

    with an output of:

    TASK [debug] ************************************************
    ok: [test.example.com] =>
      output:
        changed: true
        cmd: id
        delta: '0:00:00.014084'
        end: '2024-01-09 10:55:00.340407'
        failed: false
        msg: ''
        rc: 0
        start: '2024-01-09 10:55:00.326323'
        stderr: ''
        stderr_lines: []
        stdout: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        stdout_lines:
        - uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    

    and sudo tail -F /var/log/secure on the remote node shows:

    Jan  9 10:55:00 test.example.com sshd[32004]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=ansible_user
    Jan  9 10:55:00 test.example.com sshd[32004]: Accepted password for ansible_user from 192.0.2.1 port 48984 ssh2
    Jan  9 10:55:00 test.example.com sshd[32004]: pam_unix(sshd:session): session opened for user ansible_user by (uid=0)
    Jan  9 10:55:00 test.example.com sudo: ansible_user : TTY=pts/6 ; PWD=/home/ansible_user ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-<id> ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-<timestamp>-<id>/AnsiballZ_<modulename>.py
    Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session opened for user root by ansible_user(uid=0)
    Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session closed for user root
    

    To Summarize

    How to decide what all commands I need to add explicitly?

    The command executed in the example was:

    /bin/sh -c echo BECOME-SUCCESS-<id> ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-<timestamp>-<id>/AnsiballZ_<modulename>.py
    

    Therefore you could try adding a line at the end of the sudoers file, as shown by tail -1 /etc/sudoers:

    #includedir /etc/sudoers.d
    

    and under /etc/sudoers.d a file /etc/sudoers.d/ansible containing:

    ansible_user    ALL=(ALL)    NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python *
    

    for Ansible Modules written in Python.

    Further Reading
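The following is an added illustration, not code from the question or the answer above: a simplified Python model of how sudo matches a requested command against sudoers rules (path and argument string compared with shell-style globbing, last matching rule wins). It is fed the rule from the question (`user1 ALL=(ALL:ALL) /usr/bin/whoami`), the rule from the answer, and an argv built to mirror the shape of the `COMMAND=` field in the logged sudo line. The BECOME id, the temporary directory and the module name in that argv are constructed values, and the parser only handles the single-line rule form used on this page.

```python
# Added example (not part of the original question or answer): a simplified
# model of sudoers command matching, to show why a rule for /usr/bin/whoami
# does not cover what Ansible's become actually runs. Sample values constructed.
import fnmatch
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SudoRule:
    user: str
    runas: str        # "ALL" or a user name; the group part of (user:group) is ignored
    nopasswd: bool
    command: str      # "ALL", or a path followed by an optional argument pattern


def parse_rule(line: str) -> SudoRule:
    """Parse one sudoers line: user HOST=(RUNAS[:GROUP]) [NOPASSWD:] command [args]."""
    user, rest = line.split(None, 1)
    _host, rest = rest.split("=", 1)          # the host list is not modelled here
    rest = rest.strip()
    runas = "ALL"
    if rest.startswith("("):
        runas_spec, rest = rest[1:].split(")", 1)
        runas = runas_spec.split(":")[0].strip()
        rest = rest.strip()
    nopasswd = False
    if rest.upper().startswith("NOPASSWD:"):
        nopasswd = True
        rest = rest[len("NOPASSWD:"):].strip()
    return SudoRule(user=user, runas=runas, nopasswd=nopasswd, command=rest)


def command_matches(pattern: str, argv: List[str]) -> bool:
    """Simplified sudoers semantics: the path is matched with globbing; if the
    rule lists arguments, the whole argument string is globbed as one unit
    (so '*' also spans spaces); a rule without arguments permits any arguments."""
    if pattern == "ALL":
        return True
    parts = pattern.split(None, 1)
    if not fnmatch.fnmatchcase(argv[0], parts[0]):
        return False
    if len(parts) == 1:
        return True
    if parts[1] == '""':                       # explicit "no arguments allowed"
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), parts[1])


def evaluate(sudoers: List[str], user: str, argv: List[str], runas: str = "root") -> str:
    """Return 'nopasswd', 'password' or 'denied'; like sudo, the last matching rule wins."""
    verdict = "denied"
    for line in sudoers:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.user not in (user, "ALL") or rule.runas not in (runas, "ALL"):
            continue
        if command_matches(rule.command, argv):
            verdict = "nopasswd" if rule.nopasswd else "password"
    return verdict


# The rule from the question and the rule from the answer, verbatim.
QUESTION_RULE = "user1 ALL=(ALL:ALL) /usr/bin/whoami"
ANSWER_RULE = "ansible_user    ALL=(ALL)    NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python *"

# What sudo receives when Ansible runs a module with become: a /bin/sh -c wrapper,
# not the module's command. The id, temp dir and module name are constructed.
BECOME_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-abcd1234 ; /usr/bin/python "
    "/home/ansible_user/.ansible/tmp/ansible-tmp-0-0/AnsiballZ_command.py",
]


def verdicts() -> dict:
    """Side-by-side results for the two rules on the page, plus one extra probe."""
    return {
        "question_rule/whoami": evaluate([QUESTION_RULE], "user1", ["/usr/bin/whoami"]),
        "question_rule/become": evaluate([QUESTION_RULE], "user1", BECOME_ARGV),
        "answer_rule/become": evaluate([ANSWER_RULE], "ansible_user", BECOME_ARGV),
        # a different Python script (constructed path) also satisfies the trailing '*'
        "answer_rule/other_script": evaluate(
            [ANSWER_RULE], "ansible_user",
            ["/bin/sh", "-c", "echo BECOME-SUCCESS-x ; /usr/bin/python /tmp/other.py"]),
    }


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{label:26s} -> {verdict}")
```

Two things fall out of the model. First, the question's rule never matches a become task at all: sudo sees `/bin/sh`, not `/usr/bin/whoami`, and even for a direct `sudo /usr/bin/whoami` the rule has no `NOPASSWD:` tag, so sudo still prompts; `become_ask_pass=False` only stops Ansible from asking you for the password, it does not stop sudo from requiring one. Second, because a `*` in the argument part of a sudoers command matches across spaces, the answer's rule accepts any Python script path after `/usr/bin/python`, so a reviewer should assess it as "run Python as root without a password" rather than as a per-script allowlist, and compare it honestly against the `NOPASSWD: ALL` line the security team rejected.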